Here is the letter I wrote to the SHA-3 mailing list, followed by
replies from Jon Callas and John Kelsey.
---
From: Zooko O'Whielacronx
Folks:
You might be interested in this discussion on the tor-dev mailing list
about a new crypto protocol for Tor:
https://lists.torproject.org/pi
Hi, Robert! Hi, Jon!
As usual, please take me not as being "That fellow who is a pompous
ass and says things that aren't true" but rather as "that fellow who
knows that he is probably wrong about some stuff, and doesn't know a
better way to find out what he's wrong about than getting corrected."
On Fri, Nov 4, 2011 at 9:24 AM, Ian Goldberg wrote:
> On Fri, Nov 04, 2011 at 01:01:09PM +, Robert Ransom wrote:
>> I have also seen parameters for an Edwards curve equivalent to
>> Curve25519; we will need the Edwards-curve parameters in order to
>> implement point addition efficiently in con
On 11/04/2011 08:01 AM, Robert Ransom wrote:
> On 2011-11-03, Jon Callas wrote:
>> However, the safe, sane thing to do is use SHA-256.
> SHA-256 sucks unnecessarily on 64-bit processors. Our fast relays are
> 64-bit.
It may be worth mentioning the newly-standardized SHA-512/256 here. This
is not
On Fri, Nov 04, 2011 at 01:01:09PM +, Robert Ransom wrote:
> I have also seen parameters for an Edwards curve equivalent to
> Curve25519; we will need the Edwards-curve parameters in order to
> implement point addition efficiently in constant time for our EC
> signature scheme.
Hmm? curve2551
On 2011-11-03, Jon Callas wrote:
> Zooko forwarded a hash question over to the SHA-3 competition mailing list,
> and mentioned the discussion that has been going on here. He's going to
> forward over comments that I made and John Kelsey made. Nonetheless, I'd
> like to offer some comments on what
Zooko forwarded a hash question over to the SHA-3 competition mailing list, and
mentioned the discussion that has been going on here. He's going to forward
over comments that I made and John Kelsey made. Nonetheless, I'd like to offer
some comments on what I've read in a larger context.
I don't
On Tue, 1 Nov 2011 14:51:00 -0700
coderman wrote:
> On Tue, Nov 1, 2011 at 1:20 PM, Zooko O'Whielacronx wrote:
> > ...
> > Therefore, in the context of whether we can expect SHA-3 and/or
> > SHA-256 circuits to come built into our chips in the future, the fact
> > that SHA-256 can be implemented
For what it is worth, I would probably prefer Poly1305-AES over HMAC
if I were needing message integrity. I don't know if I would prefer
Poly1305-AES over using an integrated-integrity mode like GCM.
On Wed, Nov 2, 2011 at 2:20 AM, Markku-Juhani O. Saarinen
wrote:
>
> As a hash function research
Watson Ladd:
> (HMAC is a bad idea anyway: quadratic security bounds are not the best
> possible, we have to use nonces anyway to prevent replay attacks, so
> Wegman-Carter is a better idea for better in{faster, more secure}. GCM
> would be an example of this.)
GCM has quadratic security bounds,
On Tue, Nov 1, 2011 at 4:40 PM, Marsh Ray wrote:
>
> On 11/01/2011 03:06 PM, Watson Ladd wrote:
>>
>> GCM is a Wegman-Carter authenticator with polynomial evaluation in
>> GF2^128 as the universal hash and AES as the encryption. As NIST
>> pointed out, neither of those papers had anything to say a
On Tue, Nov 1, 2011 at 1:20 PM, Zooko O'Whielacronx wrote:
> ...
> Therefore, in the context of whether we can expect SHA-3 and/or
> SHA-256 circuits to come built into our chips in the future, the fact
> that SHA-256 can be implemented in a smaller circuit means it would be
> cheaper for a chip m
On Tue, Nov 1, 2011 at 1:36 PM, Watson Ladd wrote:
>
>> See Fig. 17 of http://eprint.iacr.org/2009/510.pdf .
>
> It's wonderful that you provided references, and even told me what diagram to
> look for.
> But figure 17 has every finalist other than Skein outperforming SHA2 in
> hardware (last col
On Tue, Nov 1, 2011 at 12:46 PM, Zooko O'Whielacronx wrote:
>
> On Tue, Nov 1, 2011 at 9:30 AM, Marsh Ray wrote:
> > I too have been following the development of SHA-3 and will toss in my 2c
> > here.
[omitted...]
>
> Although the SHA-3 designers have indeed tried to optimize for that, I
>
On Tue, Nov 1, 2011 at 9:30 AM, Marsh Ray wrote:
> I too have been following the development of SHA-3 and will toss in my 2c
> here.
Hi Marsh! You made several good points, a few of which I quoted below.
Your points make me think, speaking loosely, that SHA-3 will turn out
to be the best functio
On Tue, Nov 1, 2011 at 5:50 AM, Watson Ladd wrote:
> Turns out that almost everything you said about SHA3 vs SHA256 performance is
> wrong:
I should have specified that from the page I referenced --
http://bench.cr.yp.to/results-hash.html -- I was looking at the first
x86_64 machine: amd64 Sandy
I too have been following the development of SHA-3 and will toss in my
2c here.
On 11/01/2011 06:50 AM, Watson Ladd wrote:
> Turns out that almost everything you said about SHA3 vs SHA256
> performance is wrong:
> http://bench.cr.yp.to/impl-hash/blake256.html
> http://bench.cr.yp.to/impl-hash/blake25
Turns out that almost everything you said about SHA3 vs SHA256 performance
is wrong:
http://bench.cr.yp.to/impl-hash/blake256.html
http://bench.cr.yp.to/impl-hash/blake256.html
Blake256 performs better except on the Cortex A. On the ARM v6 it
outperforms SHA256. This includes
the ppc32, hardly anyo
In reference to:
https://lists.torproject.org/pipermail/tor-dev/2011-November/002999.html
> FOR A HASH FUNCTION: SHA256, switching to SHA3 in 2012 when it comes
> out. It might be worthwhile waiting for SHA3 in most places and
> skipping over the SHA256 stage entirely.
The AES contest resulte